author | Remi Collet <remi@remirepo.net> | 2018-12-10 18:15:14 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-12-10 18:15:14 +0100 |
commit | 474971c0b5e4ce5b004b726ece8ee41c57181ea7 (patch) | |
tree | 5dcc410438cfa0754c7e0b5446822478884ac50d /bug77231.patch | |
parent | 8d7778b180a2bae4dd69f32c3d3b404784f78ff5 (diff) |
Fix #77231 Segfault when using convert.quoted-printable-encode filter
Fix #77020 null pointer dereference in imap_mail CVE-2018-19935
Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
Diffstat (limited to 'bug77231.patch')
-rw-r--r-- | bug77231.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/bug77231.patch b/bug77231.patch
new file mode 100644
index 0000000..e805ade
--- /dev/null
+++ b/bug77231.patch
@@ -0,0 +1,46 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 3 Dec 2018 02:12:11 -0800
+Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
+
+---
+ NEWS | 4 ++++
+ ext/standard/filters.c | 2 +-
+ ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/filters/bug77231.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index dc7b0d86dcd3..9718a45be25e 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
+ line_ccnt--;
+ CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
+ } else {
+- if (line_ccnt < 4) {
++ if (line_ccnt < 4 && inst->lbchars != NULL) {
+ if (ocnt < inst->lbchars_len + 1) {
+ err = PHP_CONV_ERR_TOO_BIG;
+ break;
+diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
+new file mode 100644
+index 000000000000..17967ee80fc5
+--- /dev/null
++++ b/ext/standard/tests/filters/bug77231.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
++--FILE--
++<?php
++var_dump(file(urldecode('php://filter/convert.quoted-printable-encode/resource=data://,%bfAAAAAAAAFAAAAAAAAAAAAAA%ff%ff%ff%ff%ff%ff%ff%ffAAAAAAAAAAAAAAAAAAAAAAAA')));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
++}
+\ No newline at end of file |
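Review bot: The new `inst->lbchars != NULL` guard in the `else` branch of `php_conv_qprint_encode_convert` has no comment saying why a NULL `lbchars` is a legitimate state, so a later edit could drop the check and reintroduce the dereference from bug #77231. A one-line comment above the condition would record it, e.g. `/* lbchars may be NULL (presumably when no line-break sequence is configured); no soft line break can be emitted then */`. The function body starts and ends outside the hunk, so it cannot be confirmed from here that every other use of `inst->lbchars` and `inst->lbchars_len` is guarded the same way. That is worth checking on the 5.4/5.5 trees, where the surrounding code may differ from 5.6. The embedded diffstat also still lists `NEWS`, for which this backport carries no hunk; the `Backported for 5.4/5.5` header line could say that the NEWS change was dropped.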